[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

why is debianroot via HTTP not a security vulnerability to docker 32bit?

I had a look how docker images for 32bit are built. Despite looking very official by their namespace,  
32bit/ubuntu and
I found that "32bit" is nothing more than an idividual guy who created an account at docker hub in oct/2010. (https://hub.docker.com/u/32bit/) He created an "organization" at github, everyone can do that easily: https://github.com/docker-32bit. That organization consists of exactly "1 people", him. - lol

In his repository I find the build definition for docker 32bit debian, c.f. https://github.com/docker-32bit/debian/blob/i386/build-image.sh. In there I see he sets up the mirror and pretty much every "deb" reference with "http://"HTTP, not "https://";. From what I have found in Wikis of Debian and Ubuntu, HTTP still seems standard practice in the debian ecosystem. But I wonder how and where the downloaded binaries are verified against any checksums?

Even if there is only HTTP for Debootstrap, how can I make sure I received the latest official checksums via HTTPS from trusted channels for those downloaded binaries? 
Thank you. And a link to where I should have found the "f***ing manual" regarding debianroot security would also be very helpful.

Kind regards
(simeone not using real identity/email in fear of hackers who exploit such vulnerabilities)

Sent using Guerrillamail.com
Block or report abuse: https://www.guerrillamail.com//abuse/?a=RUR2DAwODrYahxqU%2FHcMZgeJSc%2BS29ZeiatQew%3D%3D

Reply to: